What causes VPN not connecting for remote workers?

VPN gateway certificate expired (most common — annually missed) • RADIUS/identity provider reachability lost • Firewall licence expired (UTM features stop, sometimes including SSL VPN) • Split-tunnel routing pushed wrong subnets • Client app version incompatible with gateway after firmware update

How do I resolve VPN not connecting for remote workers?

Restore reachability to the gateway • Replace / renew certificate, restore IdP, restore licence • Validate routing / split-tunnel / firewall rules • Roll back firmware if version-related • Post-incident: document and add monitoring

How do I prevent VPN not connecting for remote workers?

Certificate expiry monitoring (90/30/7-day alerts) • Annual firewall / VPN licence renewal calendared • Firmware change-control with rollback path tested • Failover gateway for business-critical environments • IdP availability monitored

P1 · Remote Access & VPN

VPN not connecting for remote workers

Remote staff can't connect. Vendor-neutral diagnostic flow: certificate → authentication → routing → policy → licence → client.

Indicators

Client error: certificate not trusted, certificate expired, IKE phase failure
Authentication succeeds but no traffic flows (split-tunnel / route push issue)
Some users connect, others don't — points to identity / group policy
Tunnel up but DNS / RDP / file share don't work — split-DNS or routing

Likely causes

VPN gateway certificate expired (most common — annually missed)
RADIUS/identity provider reachability lost
Firewall licence expired (UTM features stop, sometimes including SSL VPN)
Split-tunnel routing pushed wrong subnets
Client app version incompatible with gateway after firmware update

Diagnostic steps

Test connectivity to the gateway public IP on the VPN port (TCP 443 SSL VPN, UDP 500/4500 IKEv2). If unreachable from outside, ISP / firewall / port issue first
Check certificate: expiry, chain, and SAN matching the FQDN clients use
Authentication: test against the IdP backend separately (RADIUS test from CLI, or SAML trace via Fiddler)
Inspect tunnel state on gateway: get vpn ipsec tunnel summary (Fortinet), show vpn-sessiondb (Cisco), event log (SonicWall)
If tunnel up but no traffic: confirm pushed routes, check policy / firewall rules from VPN zone to internal
Verify firewall licence active (UTM/SSL VPN often gated)

Resolution path

Restore reachability to the gateway
Replace / renew certificate, restore IdP, restore licence
Validate routing / split-tunnel / firewall rules
Roll back firmware if version-related
Post-incident: document and add monitoring

Prevention

Certificate expiry monitoring (90/30/7-day alerts)
Annual firewall / VPN licence renewal calendared
Firmware change-control with rollback path tested
Failover gateway for business-critical environments
IdP availability monitored

Tools

FortiGate CLI: get vpn ssl monitor, diagnose debug application sslvpn
Cisco ASA / Firepower: show vpn-sessiondb, debug crypto isakmp
SonicWall: VPN status, log filter on VPN events
Meraki dashboard: Client VPN events log
Wireshark on client (filter ESP / IKE)
OpenSSL s_client for certificate validation

References

Vendor admin guides (Fortinet, SonicWall, Cisco, Meraki, WatchGuard)
Microsoft Learn — Always On VPN troubleshooting
Engineer Direct guide — VPN diagnostic checklist

vpnfirewallfortinetsonicwallmerakiciscocertificate